DevSecOps Pipeline using free SAST, DAST and SCA tools
This GitHub Action runs Snyk, SonarCloud and OWASP ZAP on your repository to check for security issues and vulnerabilities in your code and your third-party dependencies.
Dependency scanning (SCA) is provided by Snyk; all you need is a Snyk account, and to add the Snyk token as a repository secret.
Static code analysis (SAST) is provided by SonarCloud, the SaaS version of SonarQube; all you need is a SonarCloud account, and to add the Sonar token as a repository secret. You also need to create a sonar-project.properties file in your repository root.
Dynamic scanning (DAST) is provided by OWASP ZAP, an open-source web proxy tool from OWASP.org. Only the automated scanning features of ZAP are used: you only need to point ZAP at the application once it is built and running.
SonarCloud GHA - https://github.com/marketplace/actions/sonarcloud-scan
Snyk GHA - https://github.com/marketplace/actions/snyk
OWASP ZAP GHA - https://github.com/marketplace/actions/owasp-zap-baseline-scan
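The following workflow is an added example of how the three actions linked above can be wired together, not a file from this repository. It assumes a Node.js application that starts on http://localhost:3000 with `npm start`, and that SNYK_TOKEN and SONAR_TOKEN are configured as repository secrets.

```yaml
# Added example workflow (not the project's own file). Assumes a Node.js app that
# listens on http://localhost:3000 after `npm start`, plus SNYK_TOKEN and SONAR_TOKEN secrets.
name: devsecops
on: [push, pull_request]

jobs:
  sca-snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk (SCA) - fail on high or critical dependency vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  sast-sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history lets SonarCloud attribute new code correctly
      - name: SonarCloud (SAST) - reads sonar-project.properties from the repo root
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  dast-zap:
    runs-on: ubuntu-latest
    needs: [sca-snyk, sast-sonarcloud]   # only scan a build that passed the static checks
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Build and start the app in the background (assumed commands)
        run: |
          npm ci
          npm run build --if-present
          npm start &
          sleep 10   # crude wait; replace with a readiness probe against the URL
      - name: OWASP ZAP baseline scan (DAST) against the running app
        uses: zaproxy/action-baseline@v0.12.0   # pin to a current release
        with:
          target: 'http://localhost:3000'
          fail_action: true   # fail the job when ZAP reports WARN or FAIL alerts
```

The ZAP baseline job is gated on the two static jobs so a build with known high-severity findings is never exercised, and `fail_action` turns ZAP's report into a blocking check rather than an informational artifact.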